Revise SPF Requirements

[adhilto]

💡 Summary

• Delete MS.EXO.2.1v1
• Revise MS.EXO.2.2v1 to “An SPF policy SHALL be published for each domain that fails all non-approved senders.”

Motivation and context

• Maintaining a list is not configuration item (more of a prerequisite)
• There was some confusion about what to do with the list once you have it.
• Also some confusion about IP vs domains (e.g., include:spf.protection.outlook.com).
• "only these" is ambiguous
• Explicitly spell out that non-approved senders should fail

Implementation notes

See https://github.com/cisagov/ScubaGear/issues/857 for a related technical issue.

Acceptance criteria

• [ ] The baseline is revised
• [ ] The Rego is updated to reflect the change

[adhilto]

See https://github.com/cisagov/ScubaGoggles/pull/188 for this change which has already been made in the Gmail baseline.

[isab-m]

Issue handoff 4/16, I was able to complete:

• Deletion of MS.EXO.2.1v1 baseline markdown
• Deletion of MS.EXO.2.1v1 rego test
• Revision of MS.EXO.2.2v1 baseline markdown
• Revision of MS.EXO2.2v1 rego test/policy name to MS.EXO.2.1v1
• Add rego unit test for SPF redirection in PowerShell\ScubaGear\Testing\Unit\Rego\EXO\EXOConfig_02_test.rego, as seen in commit https://github.com/cisagov/ScubaGoggles/pull/188/commits/1a1f813ff33819cb96303563e5af4797048b0949

Still needs:

• SPF Baseline exo revision for SPF redirection in PowerShell\ScubaGear\Rego\EXOConfig.rego, as seen in commit https://github.com/cisagov/ScubaGoggles/pull/188/commits/53701b4b0e249d2e765fd9f5256a47a811349679

Used https://github.com/cisagov/ScubaGoggles/pull/188 for referencing the changes needed for this issue